From: "Eric Lam"
To: freebsd-questions@freebsd.org
Subject: IPFW Rules Help
Date: Thu, 25 Oct 2001 18:18:46 -0700
List-ID: freebsd-questions

Hello,

I am attempting to construct an inclusive firewall, so that all ports and protocols (UDP, TCP) are blocked by default, except ones specified, such as FTP, SSH, SMB, etc. However, I am not using natd or trying to turn this into a router. I am just trying to secure the box so that only specific services and their corresponding ports are open, and everything else closed.

xl0 is my ethernet card. The 207/206 IPs are my DNS servers. Someone told me to do that check-state stuff for FTP; I have no idea what that is for, please advise on that. I am wondering whether I did my rules correctly.

Thanks for your help.
# xmit takes an interface name; the rules as posted read "out xmit setup",
# so the interface named in the mail (xl0) is filled in below.
/sbin/ipfw add allow ip from any to any via lo0                    # loopback
/sbin/ipfw add allow ip from any to any via xl0                    # all traffic on xl0 (matched before any rule below)
/sbin/ipfw add allow tcp from any to any 20 out xmit xl0 setup     # outbound ftp-data
/sbin/ipfw add allow tcp from any to any 21 out xmit xl0 setup     # outbound ftp
/sbin/ipfw add allow tcp from any to any 22 out xmit xl0 setup     # outbound ssh
/sbin/ipfw add allow tcp from any to any 23 out xmit xl0 setup     # outbound telnet
/sbin/ipfw add allow tcp from any to any 25 out xmit xl0 setup     # outbound smtp
/sbin/ipfw add allow tcp from any to 207.151.38.154 53 out xmit xl0 setup   # dns over tcp to resolver
/sbin/ipfw add allow tcp from any to 207.151.38.133 53 out xmit xl0 setup   # dns over tcp to resolver
/sbin/ipfw add allow tcp from any to 206.117.120.66 53 out xmit xl0 setup   # dns over tcp to resolver
/sbin/ipfw add allow tcp from any to any 80 out xmit xl0 setup     # outbound http
/sbin/ipfw add allow tcp from any to any 110 out xmit xl0 setup    # outbound pop3
/sbin/ipfw add allow tcp from any to any 139 out xmit xl0 setup    # outbound smb
/sbin/ipfw add allow tcp from any to any 3128 out xmit xl0 setup   # outbound squid proxy
/sbin/ipfw add allow tcp from any to any via xl0 estab             # packets of already established tcp sessions
/sbin/ipfw add allow udp from any to any 137 out xmit xl0          # outbound netbios name service
/sbin/ipfw add check-state                                         # match packets of flows recorded by keep-state
/sbin/ipfw add allow tcp from any to any keep-state                # any tcp, recording the flow for check-state
/sbin/ipfw add deny udp from any to any                            # "add" was missing in the posted line
/sbin/ipfw add 65435 deny ip from any to any
/sbin/ipfw add 65434 allow icmp from any to any                    # numbered to sort before the deny above
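As an added example, not part of the original post, this is the default-deny, stateful shape that check-state/keep-state rules are meant to give a stand-alone host: it keeps the interface and resolver addresses from the mail and assumes, for illustration only, that the box offers ssh and smb inbound and nothing else. Set IPFW="echo /sbin/ipfw" to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: default-deny ipfw ruleset built around check-state/keep-state.
# Assumptions (not from the post): no natd or forwarding, and the only
# services exposed to the network are ssh (22) and smb (139).
: "${IPFW:=/sbin/ipfw}"
OIF=xl0                                              # interface from the post
DNS="207.151.38.154 207.151.38.133 206.117.120.66"   # resolvers from the post
INBOUND_TCP="22 139"                                 # assumed exposed services

load_rules() {
    $IPFW -f flush
    # Loopback is unrestricted; 127/8 seen on a real interface is spoofed and dropped.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from any to 127.0.0.0/8
    $IPFW add 300 deny ip from 127.0.0.0/8 to any
    # Stateful core: packets of a flow that a keep-state rule recorded are
    # accepted here, so no blanket "established" rule is needed.
    $IPFW add 1000 check-state
    # DNS only to the configured resolvers, udp and tcp, one dynamic rule per query.
    for srv in $DNS; do
        $IPFW add 2000 allow udp from me to $srv 53 out via $OIF keep-state
        $IPFW add 2000 allow tcp from me to $srv 53 out via $OIF setup keep-state
    done
    # Outbound TCP sessions this host initiates (ftp, ssh, telnet, smtp, http, pop3, smb, squid).
    for port in 20 21 22 23 25 80 110 139 3128; do
        $IPFW add 3000 allow tcp from me to any $port out via $OIF setup keep-state
    done
    # Inbound connections only to the services this host is meant to expose.
    for port in $INBOUND_TCP; do
        $IPFW add 4000 allow tcp from any to me $port in via $OIF setup keep-state
    done
    # ICMP stays open so ping and path MTU discovery keep working.
    $IPFW add 5000 allow icmp from any to any
    # Everything else is logged and dropped before the default rule 65535.
    $IPFW add 65000 deny log ip from any to any
}

# Dry run: print the commands a load would issue, without touching the kernel.
dry_run() { ( IPFW="echo /sbin/ipfw"; load_rules ); }

# Number of "add" commands the dry run produces; a quick sanity check.
rule_count() { dry_run | grep -c ' add '; }
```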